Release 8.7.11_GA_1854.RHEL7_64_20170531151956 RHEL7_64 FOSS edition.
I've setup iptables using the rule in the official zimbra howto
Code: Select all
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -s XX.XX.XX.XX/32 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/32 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m multiport -p tcp --dports 67,68,135,137,138,139,445,631,1025 -j DROP
-A RH-Firewall-1-INPUT -m multiport -p udp --dports 67,68,135,137,138,139,445,631,1025 -j DROP
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# enable ssh and snmp
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -s XX.XX.XX.XX
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 161 -j ACCEPT -s XX.XX.XX.XX
# enable zimbra ports
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s XX.XX.XX.XX
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -j ACCEPT -s XX.XX.XX.XX/32
# reject everything else
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
My actual filter.d/zimbra.conf is
Code: Select all
# Fail2Ban configuration file
#
# Author:
#
# $Revision: 1 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:
# .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
I've tried different regex using fail2ban-regex against different log file, but nothing matched!
in the mailbox log (/opt/zimbra/log/mailbox.log) I see line like:
2017-11-14 14:25:26,005 INFO [qtp127618319-44766:https:https://xxxxxxxxxxxxxxxxxxxxxxxxx.xx:7073/service/admin/soap/] [] misc - Access from IP XX.XX.XX.XX suspended, for repeated failed login.
but iptables jail are clean! Who is banning?
Can you please give me a regex to match line like:
2017-11-09 17:02:51,601 INFO [qtp127618319-185:http://localhost:8080/service/soap/AuthRequest] [name=address.xx;oip=XX.XX.XX.XX;ua=zclient/8.7.11_GA_1854;] SoapEngine - handler exception: authentication failed for [xxx@xxxx.xx], invalid password
The iptables configuration is correct?
Thank you in advance!